Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team

Where do I get my information on Windows auditing?

Where do I get my information on Windows auditing?

  • Comments 1

You might want to know where I go to get my information on audit events and so forth.

Mostly I go to the source code or one of our developers.  For continuity-of-employment reasons I won't be posting a link to that here ;-)  We have some old specs and some new specs but sometimes the code doesn't function quite like the spec says it should so I usually go to the code instead of the spec.

However you can download the Windows Platform SDK for free, and it includes all the header files which define all the Windows error codes and so forth. 

I also search my email with Outlook 2007's Instant Search feature (yes that was a blatant plug).  A lot of times I find that I answered a question or had a discussion about something a long time ago.  This has become less useful lately as the legal guys are making us delete all our old email.  I am trying to capture some of this kind of content in this blog since hopefully it will outlive my email :-)  Maybe I will write a book.

I use the Technet Events & Errors web site.  This is the site where Event Viewer goes for content when you click the link in the bottom of an event.  Not all events are populated (actually only a small percentage have hand-written content).

I use Windows Live Search or sometimes that other search engine to search the internet for content, but only rarely.  Sometimes I go to Randy Smith's web site, Ultimate Window Security.

Anyway these are all my primary sources.

2007-02-08 Updated Platform SDK download link per PSDK group advice

Comments
Leave a Comment
  • Please add 8 and 1 and type the answer here:
  • Post